Showing posts with label Information Security.

Friday, December 3, 2010

Personal Information as a Security Vector

Personal information such as SSNs, medical records, and academic records is only as secure as the knowledge the staff has gained in order to protect it. The security team can be well trained in computer and physical security. They can be experts in cryptography, firewalls, or security architecture, but if the security team does not train others and pass along some of its knowledge, it will not be long before the information they are trying to protect is owned by an evil cracker who knows how to get inside the company and compromise the integrity of the data.

No matter how good a security policy is, companies are always vulnerable to penetration from the outside or even from the inside. Just this past week the employees of my company were told that we could no longer bring in USB devices or any other storage devices, including personal laptops, because one employee was caught bringing company information to his home. Although I was not informed of what information the employee was taking home or why, the fact is that he brought the information home. We used to have a program that was supposed to encrypt the drive, and the drive would then be useful only on the computer that encrypted it, so I'm not sure what happened with that security measure. The bad thing is my company deals with social security numbers and medical information every day, so I know that system and procedure would not be HIPAA compliant.

Also, it would not be hard to gather the usernames and passwords of the employees at the company, because most of the time the information is on their desks, or you can just ask them and they will be happy to give you the information; and most of the time the users do not lock their desktops when they leave their desks. This provides instant access to every SSN in the country, and the person who would get called out would be the user, because SSA knows who accesses what SSN and when it is accessed.

Remember to go to the training classes when they are offered. If you don't, you may unknowingly give out personal information that you do not have the right to release.

Wednesday, May 12, 2010

Port Scanning

Port scanning is an invasive activity. It is the process of sending traffic to each port on a host to learn whether that port is open, closed, or filtered. Port scanning can also cause a denial of service on a network if it is scanned long enough. The types of scans that are done are half-open scans, FIN scans, XMAS scans, and other stealth scans that could be used to get past a firewall. The ports can be filtered, open, or closed.

Attempts have been made to convict people for doing port scans, but the courts have said time and time again that as long as people are just scanning they are not committing a crime. The rules do vary from state to state. One of the more famous cases is Moulton vs. VC3, where Scott Moulton, an owner and operator of a security company, was testing the county's 911 system for vulnerabilities and discovered VC3's firewall. After Scott explained it to him, the judge agreed that it was not a crime. That was in 2000.

But just because it is not illegal does not mean that it is not invasive or that it does not use computer and network resources. A scan has to send traffic to each port in order to discover whether it is open or closed. Even if you are not receiving data from the ports, you are getting information about the company's network and infrastructure. You are learning how secure or insecure they are. In some instances you learn what programs or equipment they may be using.
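Because a scan has to touch every port it probes, the probes show up on the target side whether or not the port answers. The script below is an added example, not code from the original post: it reads a handful of constructed firewall log lines (the `src=… dst=… dport=… action=…` format is assumed for illustration) and flags any source that touches an unusually large number of distinct ports on one destination inside a short window, which is the footprint a port scan leaves on the network's own logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed generic firewall format, not from the post).
# 10.0.0.5 touches twelve different ports within five seconds; 10.0.0.7 is an
# ordinary client that only ever talks to ports 80 and 443.
SAMPLE_LOG = """\
2010-05-12T10:00:00 src=10.0.0.5 dst=192.0.2.10 dport=21 action=DROP
2010-05-12T10:00:00 src=10.0.0.5 dst=192.0.2.10 dport=22 action=ACCEPT
2010-05-12T10:00:01 src=10.0.0.5 dst=192.0.2.10 dport=23 action=DROP
2010-05-12T10:00:01 src=10.0.0.5 dst=192.0.2.10 dport=25 action=DROP
2010-05-12T10:00:02 src=10.0.0.5 dst=192.0.2.10 dport=53 action=DROP
2010-05-12T10:00:02 src=10.0.0.5 dst=192.0.2.10 dport=80 action=ACCEPT
2010-05-12T10:00:03 src=10.0.0.5 dst=192.0.2.10 dport=110 action=DROP
2010-05-12T10:00:03 src=10.0.0.5 dst=192.0.2.10 dport=135 action=DROP
2010-05-12T10:00:04 src=10.0.0.5 dst=192.0.2.10 dport=139 action=DROP
2010-05-12T10:00:04 src=10.0.0.5 dst=192.0.2.10 dport=143 action=DROP
2010-05-12T10:00:05 src=10.0.0.5 dst=192.0.2.10 dport=443 action=ACCEPT
2010-05-12T10:00:05 src=10.0.0.5 dst=192.0.2.10 dport=445 action=DROP
2010-05-12T10:00:07 src=10.0.0.7 dst=192.0.2.10 dport=80 action=ACCEPT
2010-05-12T10:00:09 src=10.0.0.7 dst=192.0.2.10 dport=443 action=ACCEPT
2010-05-12T10:00:30 src=10.0.0.7 dst=192.0.2.10 dport=80 action=ACCEPT
2010-05-12T10:01:00 src=10.0.0.7 dst=192.0.2.10 dport=443 action=ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "action": m.group("action"),
    }


def detect_port_scans(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {(src, dst): peak distinct ports} for pairs whose distinct-port
    count inside any sliding `window` reaches `threshold`.

    The verdict (ACCEPT/DROP) is deliberately ignored: a scan is visible from
    the breadth of ports probed, not from whether each probe got through.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()                 # process in time order
        recent = deque()           # events inside the current window
        peak = 0
        for ts, port in evs:
            recent.append((ts, port))
            while ts - recent[0][0] > window:   # expire old events
                recent.popleft()
            peak = max(peak, len({p for _, p in recent}))
        if peak >= threshold:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports in window")
```

Run against the sample, only `10.0.0.5 -> 192.0.2.10` is reported (12 distinct ports); the normal client never exceeds two ports in any window, so it stays quiet even with a much lower threshold. In production the threshold and window would be tuned to the network's own baseline, and the same logic applied per source rather than per source/destination pair would also catch one host sweeping a single port across many machines.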

Sunday, July 20, 2008

What is Information Security?

It is about securing personal and private information. With information security you have to compromise between security and ease of use. A person can make a security system so secure that no one would use it. For example, requiring a 30-character password with a mixture of letters, numbers, and special characters. That would be a secure logon, but it would also cause the user to write the password down, which is insecure: anyone who stops by the user's desk would be able to grab the password.

The only way to use passwords like those would be to use a flash drive to copy the password into the logon box. The problem there is that most companies do not allow USB flash drives on their systems. So a compromise is made, and most businesses set up an 8-character password limit of letters and numbers.

Security is all about accomplishing the business needs, and not as much about rock-solid, nobody-breaks-in security. Sometimes security professionals forget all about the business needs, and without the business everyone would be without a job.

Next time you design a security system, keep in mind how important the data you're trying to secure is, and also what the business's mission and goals are.